Skip to main content

Hexpm CVE-2026-23940

| EUVDEUVD-2026-12050 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-03-13 EEF
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 06, 2026 - 17:17 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-12050
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 16:07 nvd
HIGH 7.1

DescriptionCVE.org

Uncontrolled Resource Consumption vulnerability in hexpm hexpm/hexpm allows Excessive Allocation. Publishing an oversized package can cause Hex.pm to run out of memory while extracting the uploaded package tarball. This can terminate the affected application instance and result in a denial of service for package publishing and potentially other package-processing functionality.

This issue affects hexpm: before 495f01607d3eae4aed7ad09b2f54f31ec7a7df01; hex.pm: before 2026-03-10.

AnalysisAI

An uncontrolled resource consumption vulnerability in the Hex.pm package manager allows authenticated attackers to cause denial of service by uploading oversized packages that exhaust server memory during extraction. The vulnerability affects hexpm versions before commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 and hex.pm installations before March 10, 2026, with a CVSS 4.0 score of 7.1 indicating high availability impact. No active exploitation has been reported (not in KEV), no public proof-of-concept exists, and EPSS data is not available.

Technical ContextAI

Hex.pm is the package manager for the Erlang ecosystem, used to host and distribute Erlang and Elixir packages. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption), where the application fails to properly limit memory allocation when processing uploaded package tarballs, allowing malicious actors to upload specially crafted oversized packages that consume excessive memory during the extraction phase. This affects the core package publishing and processing functionality of the hex.pm service, potentially impacting the entire Erlang/Elixir development ecosystem that relies on this infrastructure.

RemediationAI

Organizations running hex.pm instances should upgrade to versions containing commit 495f01607d3eae4aed7ad09b2f54f31ec7a7df01 or ensure their deployment is updated to post-March 10, 2026 releases. As an interim mitigation, administrators should implement package size limits at the web server or load balancer level, monitor memory usage patterns for anomalies during package uploads, and consider implementing rate limiting for package publishing operations to prevent rapid successive attempts at resource exhaustion.

Share

CVE-2026-23940 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy